This topic describes the alert rules for the security of RDS instances. You can configure and enable alert rules in the Simple Log Service console to monitor the security of RDS instances. If an alert is triggered, you can identify the error cause and fix the error at the earliest opportunity.
Alert rules
The following alert rules are supported. For information about how to set alert parameters, configure whitelists, and perform other relevant operations, see Configure alerts.
RDS Slow SQL detection
ID | sls_app_audit_db_at_rds_slow_sql |
Name | RDS Slow SQL detection |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors slow SQL queries in RDS instances. If the time to execute an SQL query exceeds the value of the Threshold, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether slow SQL queries occur in the RDS database that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Data Mass Deletion Alert
ID | sls_app_audit_db_at_rds_batch_del_sql |
Name | RDS Data Mass Deletion Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors whether a large amount of data is deleted in RDS databases. If the number of data rows that are deleted is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether a large amount of data is deleted in the RDS database that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
Detection of RDS Visit through Internet
ID | sls_app_audit_db_at_rds_internet_access |
Name | Detection of RDS Visit through Internet |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors whether RDS instances are accessed by external IP addresses. If an RDS instance is accessed by an external IP address, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8. |
External Configurations | You can specify a whitelist. If an RDS instance is in the whitelist and the RDS instance is accessed by an external IP address, no alert is triggered. |
Solution | Do not allow RDS instances that are not included in the whitelist to be accessed by external IP addresses. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Query SQL Average Execution Time Monitoring
ID | sls_app_audit_db_at_rds_select_speed |
Name | RDS Query SQL Average Execution Time Monitoring |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors the average execution duration of an SQL query in RDS instances. If the average execution duration of an SQL query is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether an exception occurs in the RDS database that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Instance Update Peak Monitoring
ID | sls_app_audit_db_at_rds_update_peak |
Name | RDS Instance Update Peak Monitoring |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors the data change in an RDS database. If the amount of data that is changed is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether an exception occurs on the RDS instance that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Instance Query Peak Monitoring
ID | sls_app_audit_db_at_rds_query_peak |
Name | RDS Instance Query Peak Monitoring |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors the maximum rows of data to query each time. If the data rows that are queried is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether an exception occurs in the RDS database that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Instance Released Alert
ID | sls_app_audit_db_at_rds_query_peak |
Name | RDS Instance Released Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors the release of RDS instances. If an RDS instance is released, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: The severity level of the alert. Valid values: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8. |
External Configurations | None. |
Solution | Check whether an exception occurs in the RDS database that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Frequent Visit IP Detection
ID | sls_app_audit_db_at_rds_visit |
Name | RDS Frequent Visit IP Detection |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors the frequent access from an IP address to an RDS instance. If the time of access from an IP address to an RDS instance is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | You can specify a whitelist of IP addresses. If an RDS instance is frequently accessed by an IP address on the whitelist, no alert is triggered. |
Solution | Check whether an exception occurs on the RDS instance that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Update SQL Average Execution Time Monitoring
ID | sls_app_audit_db_at_rds_update_speed |
Name | RDS Update SQL Average Execution Time Monitoring |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors the time interval to change the average execution duration of an SQL query in RDS instances. If the time interval to change the average execution duration of an SQL query is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether an exception occurs on the RDS instance that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
Too Many RDS Login Failures Alert
ID | sls_app_audit_db_at_rds_login_err_cnt |
Name | Too Many RDS Login Failures Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors the logon failures of RDS instances. If the number of logon failures of an RDS instance within 5 minutes is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 4 minutes. |
Time Range | The data of the last 5 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether an exception occurs on the RDS instance that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
Rds Mass Data Update Event Alert
ID | sls_app_audit_db_at_rds_batch_update_sql |
Name | Rds Mass Data Update Event Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors whether a large amount of data is changed on RDS instances. If the number of data rows changed on an RDS instance is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether an exception occurs on the RDS instance that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
RDS Dangerous SQL Execution Alert
ID | sls_app_audit_db_at_rds_danger_sql |
Name | RDS Dangerous SQL Execution Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors invalid SQL queries for RDS instances. If an invalid SQL query is detected, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether an exception occurs on the RDS instance that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |
Too Many RDS SQL Execution Errors Alert
ID | sls_app_audit_db_at_rds_sql_err_cnt |
Name | Too Many RDS SQL Execution Errors Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Database Security, and RDS Security |
Usage | Monitors the errors that occur when SQL queries are executed. If the number of errors that occur is greater than or equal to the value of the Max errors parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None. |
Solution | Check whether an exception occurs on the RDS instance that triggered the alert. |
Prerequisites | The SQL Audit Log switch of RDS is turned on. To turn on the switch, go to the Log Audit Service console, and then choose . |